Sony: Anonymous provided cover for PSN attack

Sony today released a letter blaming Anonymous for providing cover for the …

The House Subcommittee on Commerce, Manufacturing and Trade asked Sony to testify at a hearing called "The Threat of Data Theft to American Consumers," so the company could answer a series of questions about its recent PlayStation Network security breach. Sony declined to attend the meeting, but the company did answer a series of questions put to them about the attack, and the letter to committee chairwoman Rep. Mary Bono Mack (R-CA) has been published on the official PlayStation Blog.

Rep. Bono Mack slammed Sony for not showing up in person; during later questioning, she held up Sony's letter and said that her office had received it this morning. The document contains interesting details about the attack, as well as more evidence that Anonymous was involved (perhaps unwittingly) in what went down.

On April 19, Sony noticed that some of the 130 servers in the PlayStation Network had rebooted themselves, an activity that was not officially scheduled. The network service team began digging into the logs to find out what was going on, and on April 20 they found evidence of the attack and reason to believe information had been stolen. "At the time, the network service team was unable to determine what type of data had been transferred, and they therefore shut the PlayStation Network system down," said the letter. On April 26, we were told that our personal data had been compromised.

So how did the attackers gain entrance? Around two weeks ago, Sony was defending itself against constant denial of service attacks, and it seems the entirety of their online team was busy dealing with that threat.

"Detection was difficult because of the sheer sophistication of the intrusion," Sony wrote in the letter. "Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of. Sony also claims that because its team was so busy defending against the denial of service attacks, detection of the hack was even more difficult. Sony claimed that this was "perhaps by design."

Sony also claimed it found a file on its server named "Anonymous," with the text "We are Legion." The document also places the blame for the denial of service attacks directly on Anonymous.

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world," Sony stated.

Sony didn't provide information on the breach to the FBI until April 22. A briefing to give law enforcement details of the breach was scheduled for April 27. Sony has also revealed that 12.3 million account holders worldwide have credit card information on file with the company, and that number includes both current and expired cards. "As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack," Sony claimed.

Of course the whole point of "anonymous" is that there is no way to prove or disprove membership since there is no real organization. They will no doubt serve as the hacker bogey-man for the foreseeable future.

Seems like it would be more likely that the psn hackers took advantage of anonymous's activities to execute their intrusion. Makes for great cover, and they're probably hoping Sony and the Feds will go after anonymous as the "low hanging fruit" of the case.

oh, and btw, i noted that the initial blurb had the file named "anonymouse", that's one secretive mouse!

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world,"

Yeah, that's the beauty of an anonymous entity. The hack may have been completely disconnected from anonymous and its ddos. All you have to do in order to execute anything on behalf of anonymous is to claim that you are anonymous. There are group actions, but there is no line between sanctioned or non-sanctioned anonymous acts. Claiming no identity or leadership has that effect.

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world,"

So?

The most important implication of the quote is that, in the end, anonymous by and large is just a large group of tools waiting to be abused by whomever's smart enough to use them. This isn't new thinking either.

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world,"

So?

So plenty of those individuals may have unwittingly been hurting themselves. Anon and Sony customers probably are not mutually exclusive. Sort of like organizing a protest in front of a bank, people may want to join the protest but probably don't want to provide cover for their money/info to be stolen from the bank.

Wow, all you have to do to throw a company like Sony off your track is claim you're from Anonymous and they buy it hook, line and sinker. No proof is needed because there is nobody for the media to contact regarding any incident. They are indeed legion and growing, given that they now include anybody that can hack Sony; that's 2 so far, not including the thousands who took part in the DDoS attack (distributed denial of service).

Sony can try to shift blame to Anonymous all they want, it doesn't alter the fact that their PSN security measures were circumvented. Any security flaws in their system existed prior to the DDOS attacks.

"Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

Really? That's their excuse. A KNOWN vulnerability that they did not KNOW about? Really? That's the best they can come up with. Pretty much all known security vulnerabilities are corrected through a patch process. This is pretty much standard for most applications. So what Sony is trying to tell me is they 1) They have a piss poor network security team who knows nothing of watching and subscribing to security alerts. And 2) They just didn't give a crap and never bothered to patch their systems in a timely manner.

"Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

Really? That's their excuse. A KNOWN vulnerability that they did not KNOW about? Really? That's the best they can come up with. Pretty much all known security vulnerabilities are corrected through a patch process. This is pretty much standard for most applications. So what Sony is trying to tell me is they 1) They have a piss poor network security team who knows nothing of watching and subscribing to security alerts. And 2) They just didn't give a crap and never bothered to patch their systems in a timely manner.

Wow, just....wow.

++ on this.

Best practices demand that you keep all of your software updated. If it was a known issue, it was probably fixed in a more recent release of the security software. Just because Sony employees were too lazy to read release notes and/or update their software is no excuse.

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world,"

So?

The most important implication of the quote is that, in the end, anonymous by and large is just a large group of tools waiting to be abused by whomever's smart enough to use them. This isn't new thinking either.

I think the point is that this large group of tools may be totally happy with being used this way.

Erm, if I'm under attack from hackers at work then I want to check more often that I'm patched up to date against known vulnerabilities. This is FUD from Sony. Their admins dropped the ball and they are spinning it to blame faceless hackers.

A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

Really? That's their excuse. A KNOWN vulnerability that they did not KNOW about? Really? [snip] Wow, just....wow.

Indeed. Good to see they're doing their somewhere-between-absolute-and-nonexistent best. I wonder if that was a wording error? Or if they just couldn't not say that, because it will be figured out and they don't want to suffer from perjury. Because...seriously, that is a pretty lame defense "Oh, they were well coordinated...and oh yeah, we also were running out of date, insecure stuff."

I find it plausible that they were distracted by the Anonymous DoS attack.

If not for the DoS, people would have been using the network to play games. Why would they not have been equally distracting to the network admins?

If my business's network were under attack from anyone, DoS or otherwise, Anonymous or otherwise, that would have made me more vigilant against other risks, not less. Under DoS from Anonymous, would it not be reasonable to suspect they might be doing something further? As a network admin, would you really trust Anon not to be doing something more? (I'm not saying I think they did, just that I think it would have been prudent to wonder).

"Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

Really? That's their excuse. A KNOWN vulnerability that they did not KNOW about? Really? That's the best they can come up with. Pretty much all known security vulnerabilities are corrected through a patch process. This is pretty much standard for most applications. So what Sony is trying to tell me is they 1) They have a piss poor network security team who knows nothing of watching and subscribing to security alerts. And 2) They just didn't give a crap and never bothered to patch their systems in a timely manner.

Wow, just....wow.

Curious about this quotation too. Is Sony trying to say that there was part of their system that is known to be vulnerable to attack, but they didn't realize that the part was actually in their system?

It was the United States Army who hacked the PSN because Osama bin Laden played Black Ops and had his home address on the PSN. They recognized him because he was the only player in the world who blows himself up with a hand grenade each time he played.

"As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack," Sony claimed.

Is anyone surprised by this? I assumed this would be the case, that the attacker is in it "for the lulz" to bring the heat down on Sony, and not to hurt Sony's customers. This move by Sony, to try to piggyback onto any victim-sympathy for their customers, really grates me for some reason.

"In any case, those who participated in the denial of service attacks should understand that—whether they knew it or not—they were aiding in a well-planned, well-executed, large-scale theft that not only left Sony a victim, but also Sony's many customers around the world,"

So?

The most important implication of the quote is that, in the end, anonymous by and large is just a large group of tools waiting to be abused by whomever's smart enough to use them. This isn't new thinking either.

I think the point is that this large group of tools may be totally happy with being used this way.

True. While Anon has some really smart people right on the top, most of the others 99+% (?) are 12 years old and wondering what this is. Any publicity is good publicity to them, and if it's bad publicity it would quickly get converted to "lulz" in their minds. I think quite a few of them are actually surprised that many think of them as a serious and good force (at times) rather than a bunch of people who give new arguments for chaos theory.

While I do own a PS3 and don't take part in DDoSes... if I did, in hindsight, I would have def taken part in the above mentioned DDoS against Sony. Few other companies deserve this as much as the tools at Sony do.

Of course the whole point of "anonymous" is that there is no way to prove or disprove membership since there is no real organization. They will no doubt serve as the hacker bogey-man for the foreseeable future.

While there is the fear of it serving as the bogey-man, I think it's very plausible that they played a part in this.

For all the good anonymous has done/does, this is the downside of vigilante justice.

"Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

Really? That's their excuse. A KNOWN vulnerability that they did not KNOW about? Really? That's the best they can come up with. Pretty much all known security vulnerabilities are corrected through a patch process. This is pretty much standard for most applications. So what Sony is trying to tell me is they 1) They have a piss poor network security team who knows nothing of watching and subscribing to security alerts. And 2) They just didn't give a crap and never bothered to patch their systems in a timely manner.

Wow, just....wow.

++ on this.

Best practices demand that you keep all of your software updated. If it was a known issue, it was probably fixed in a more recent release of the security software. Just because Sony employees were too lazy to read release notes and/or update their software is no excuse.

That's completely bogus. There are plenty of known, unpatched, vulnerabilities in software. For example, the TCP DOS vulnerability, which will specifically not be fixed for Windows XP or 2000.

That happens to be one example I know off the top of my head, but there's no particular shortage of known, unpatched vulnerabilities.

Erm, if I'm under attack from hackers at work then I want to check more often that I'm patched up to date against known vulnerabilities. This is FUD from Sony. Their admins dropped the ball and they are spinning it to blame faceless hackers.

Not only that but common sense dictates that if you come under some form of attack such as a DoS, you don't relax your security on your neighboring systems. Quite the opposite, you pull your pants up more, tighten your belt and become even more diligent in your network security. Every time Sony comes out with a new statement about the events of the attack and their reactions it just shows more and more how incompetent they really are. I am beginning to believe they honestly walked around thinking amongst themselves, "Hey, we're Sony. No one's gonna hack us."

Ok, so maybe the ddos was used as a smokescreen, blah blah blah. This particular statement is what stands out to me:

"Second, detection was difficult because the criminal hackers exploited a system software vulnerability." A company executive had previously stated that the hacker gained entrance through a "known vulnerability" that the company was unaware of.

So there was a vulnerability known to everyone but the Sony techs? Bad form.

Sony needs to answer for the results of this hack. Some people defending Sony are saying things like "If your money gets stolen from a bank, do you blame the bank?" or "If somebody steals your stuff from your parents' house, do you blame your dad?". The answer is yes, if the bank left the vault open with nobody minding security or mom and dad left my stuff in the garage with the garage door open.

It was Sony's job to keep that data secure. They failed. End of excuses.

Is anyone surprised by this? I assumed this would be the case, that the attacker is in it "for the lulz" to bring the heat down on Sony, and not to hurt Sony's customers. This move by Sony, to try to piggyback onto any victim-sympathy for their customers, really grates me for some reason.

I think I read somewhere that some of the information stolen was already available for purchase, in the $100k range. My memory could be faulty, though.